In a recent report, cybersecurity firm Intezer found that the number of malware strains written in the Go programming language has increased by about 2,000% in recent years.
The report backs up this trend with the finding that malware authors are moving away from C and C++ toward Go. Google released the language back in 2007, and the first malware written in Go was discovered in 2012.
Intezer states: "Before 2019, spotting malware written in Go was more a rare occurrence and during 2019 it became a daily occurrence." That has now changed, since Golang malware is becoming common.
Why is it so popular all of a sudden? Go makes cross-platform development fairly easy: malware authors only need to write the code once and can then build binaries for each platform, so the same code base can target Windows, Mac, and Linux. That makes the malware versatile. Another reason is that Golang binaries are a pain for security researchers to analyze and reverse engineer. For malware authors that is extremely good, as it lowers the chance of detection.
The final reason is that Go is built to work extremely well with network packets and requests, and has support for cloud-native applications built in. It is easy to work with, especially compared to writing network services in C++.
It's a big plus for these malware writers/developers to have everything they need in one place. It saves them time and probably headaches, so it's no wonder Golang malware is suddenly popular.
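As an added example, not from Intezer's report or from this post: a small Python triage routine that spots the markers the Go toolchain leaves in every binary it produces (the pclntab header magic and the embedded build ID), which do not depend on the target OS, so the same check works on Windows, Mac and Linux samples. The sample bytes are constructed; the magic-to-version mapping follows the Go linker.

```python
import re

# pclntab header magic values the Go linker writes (little-endian on disk).
PCLNTAB_MAGICS = {
    b"\xfb\xff\xff\xff": "go1.2-1.15",
    b"\xfa\xff\xff\xff": "go1.16-1.17",
    b"\xf0\xff\xff\xff": "go1.18-1.19",
    b"\xf1\xff\xff\xff": "go1.20+",
}
BUILD_ID_START = b"\xff Go build ID: \""  # the linker wraps the build ID in these
BUILD_ID_END = b"\"\n \xff"
GO_VERSION_RE = re.compile(rb"go1\.\d{1,2}(?:\.\d{1,2})?")

def find_pclntab(data):
    """Header = magic, two zero bytes, pc quantum (1|4), pointer size (4|8)."""
    for magic, layout in PCLNTAB_MAGICS.items():
        idx = data.find(magic)
        while idx >= 0:
            hdr = data[idx:idx + 8]
            if (len(hdr) == 8 and hdr[4:6] == b"\x00\x00"
                    and hdr[6] in (1, 4) and hdr[7] in (4, 8)):
                return idx, layout
            idx = data.find(magic, idx + 1)
    return None

def extract_build_id(data):
    """Return the embedded Go build ID string, or None if absent."""
    start = data.find(BUILD_ID_START)
    if start < 0:
        return None
    start += len(BUILD_ID_START)
    end = data.find(BUILD_ID_END, start)
    return data[start:end].decode("ascii", "replace") if end >= 0 else None

def triage_go_binary(data):
    """Summarise Go indicators in raw file bytes, independent of OS/arch."""
    pcln = find_pclntab(data)
    build_id = extract_build_id(data)
    version = GO_VERSION_RE.search(data)
    return {
        "is_go": pcln is not None or build_id is not None,
        "pclntab_layout": pcln[1] if pcln else None,
        "build_id": build_id,
        "go_version": version.group(0).decode() if version else None,
    }

# Constructed bytes standing in for a PE built with "GOOS=windows go build".
SAMPLE_GO = (b"MZ" + b"\x00" * 14 + BUILD_ID_START + b"abc123/def456" + BUILD_ID_END
             + b"\x90" * 8 + b"\xfb\xff\xff\xff\x00\x00\x01\x08" + b"go1.15.6\x00")
SAMPLE_OTHER = b"\x7fELF" + b"\x00" * 28 + b"libc.so.6\x00"  # constructed non-Go stub
```

Strings like the build ID and version survive stripping and UPX-style packing only until unpacking, so run this on the unpacked sample; the pclntab check is the more robust of the two indicators.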
"Many of these malware [families] are botnets targeting Linux and IoT devices to either install crypto miners or enroll the infected machine into DDoS botnets. Also, ransomware has been written in Go and appears to become more common" (Intezer, 2021).
Here are some of the malware families seen using Golang in the past year:
Zebrocy - Russian state-sponsored group APT28 created a Go-based version of their Zebrocy malware.
WellMess - Russian state-sponsored group APT29 deployed new upgraded versions of their Go-based WellMess malware.
Godlike12 - A Chinese state-sponsored group deployed Go-based backdoors for attacks on the Tibetan community.
Go Loader - The China-linked Mustang Panda APT deployed a new Go-based loader.
GOSH - The infamous Carbanak group deployed a new RAT named GOSH written in Golang back in August.
Glupteba - New versions of the Glupteba loader were seen in 2020, more advanced than ever.
A new RAT targeting Linux servers running Oracle WebLogic was seen by Bitdefender.
CryptoStealer.Go - New and improved versions of the CryptoStealer.Go malware were seen in 2020. This malware targets cryptocurrency wallets and browser passwords.